Channels

Services

Microsoft restores Hotmail encryption to Syrian and other users

Microsoft has restored the continuous SSL encryption capability to Hotmail users around the world after users in countries such as Bahrain, Iran, Syria and Uzbekistan found themselves unable to use the option. Microsoft said that "we do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world" and apologised for the inconvenience in a Solution Center entry.

On Friday, in a report on its deeplinks blog, the Electronic Frontier Foundation (EFF) had reported that Microsoft had suspended its continuous SSL encryption feature ("always use HTTPS") for its free Hotmail service in a number of countries. Hotmail users whose profile gave Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan or Kyrgyzstan as the user's home country only saw the error message "Your Windows Live ID can't use HTTPS automatically because this feature is not available for your account type", according to EFF activist Eva Galperin. The problem was initially spotted by a computer engineering student in currently tumultuous Syria. The student posted an image of the denial message.

The EFF was particularly worried about the apparent move as it affected countries whose governments have little regard for the freedom of expression, and called for a speedy restoration of the service. According to Microsoft, users in the Bahamas, Cayman Islands and Fiji were also affected by the bug. The bug apparently removed the functionality on the basis of what country the user said they were in, not based on the IP address they were coming from. Users could work around the problem by changing their country setting to an unblocked country.

Microsoft has not disclosed what caused the bug. The company only introduced the always-use-HTTPS feature for Hotmail in November 2010; before this time, only the log-in procedure had been SSL-encrypted. On unsecured Wi-Fi networks, this allowed attackers using such tools as Firesheep to read users' emails or even gain account access by copying cookies.